Can you suggest how to implement grace period

Article ID: 143720

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

When running API Gateway integrated with Layer7 SiteMinder, one might
like to know how to implement the grace period for the SMSESSION
cookie.

 

Environment

 

API Gateway 10.0
SiteMinder 12.8

 

Resolution

 

Layer7 SiteMinder uses an ACO (Agent Configuration Object) parameter
to control the grace period for renewing the SMSESSION cookie, that
is, the number of seconds "the agent waits from the last accessed time
of the received session cookie before it generates a new session
cookie" (1).

The API Gateway supports only 9 ACO parameters at the moment (2).

At the time of writing this note (2021-05-12), this ACO parameter isn't
available for API Gateway.

To get the Layer7 SiteMinder ACO parameter SessionGracePeriod
implemented for API Gateway, we invite you to submit an Enhancement
Request (Idea) on the Broadcom page:

  1. Go to the "All Ideas" page:
     https://community.broadcom.com/ideation/allideas
  2. Click on the "Add" button.
  3. In the "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enhancement Request or
     Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted.

 

Additional Information

 

(1)

    Session Grace Period and Update Period Settings

      SessionGracePeriod  

      Specifies the number of seconds the agent waits from the last
      accessed time of the received session cookie before it generates a
      new session cookie. Set the SessionGracePeriod to 0 to disable the
      setting. If the setting is disabled, the agent updates session
      cookies for every request.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/session-grace-period-and-update-period-settings.html

(2)

    Fetch ACO Properties to the Gateway Policy for Composing SMSESSION
    Cookie with SSOToken

      The following list of ACO parameters compose the SMSESSION cookie string:

       ATTR_ACO_SSOZoneName constitutes SSOZoneName property
       ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
       ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
       ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
       ATTR_ACO_UseSecureCookies is used to indicate secure flag
       ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

       Note: Except for the above ACO parameters, Gateway does not use
       any other ACO parameters.

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/reference/context-variables/ca-single-sign-on-context-variables.html
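
The SessionGracePeriod behaviour quoted in note (1), modelled as an added example (not Broadcom code, and not something the API Gateway implements). The function names, the constructed request times and the inclusive boundary check are assumptions.

```python
"""Model of the SessionGracePeriod semantics quoted in note (1)."""
from dataclasses import dataclass

# Constructed sample: request arrival times in seconds after login (t=0).
SAMPLE_REQUESTS = [5, 12, 31, 40, 58, 62, 95]


@dataclass
class Event:
    t: int                   # request arrival time, seconds
    reissued: bool           # True if a new SMSESSION cookie is generated
    cookie_last_access: int  # last-accessed time the cookie carries afterwards


def simulate(request_times, grace_period, login_time=0):
    """Replay requests for one session and record every cookie reissue.

    Assumption: a reissue happens once the time elapsed since the cookie's
    last-accessed time reaches grace_period (inclusive); the quoted text
    does not state how the boundary is handled.
    """
    if grace_period < 0:
        raise ValueError("grace_period must be >= 0")
    last_access = login_time
    events = []
    for t in sorted(request_times):
        if t < login_time:
            raise ValueError("request before login")
        # 0 disables the setting: the cookie is updated on every request.
        reissue = grace_period == 0 or (t - last_access) >= grace_period
        if reissue:
            last_access = t
        events.append(Event(t, reissue, last_access))
    return events


def summary(events):
    """Return (number of reissues, worst staleness of the cookie timestamp)."""
    reissues = sum(e.reissued for e in events)
    max_lag = max((e.t - e.cookie_last_access for e in events), default=0)
    return reissues, max_lag


if __name__ == "__main__":
    for grace in (0, 30):
        print(grace, summary(simulate(SAMPLE_REQUESTS, grace)))
```

The second value in each summary is how far the cookie's last-accessed time can trail the most recent request, which in this model always stays below the grace period.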